671 Views | 0 Helpful | 2 Replies

HTTP Connect Tunnel (5237)

josephium
Level 1

Hi,

Can anyone explain this signature clearly, please? When does it fire?

If, for example, I am seeing this signature fire from x.x.x.x to my mail server y.y.y.y:25 HTTP, what does this mean?

thank you

2 Replies

mhellman
Level 7

Generally speaking, HTTP connect tunnels are used by HTTP proxies to support SSL connections from browsers. The HTTP proxy basically acts as a TCP level proxy, and it doesn't care about the application layer. What this means is that just about any application can be tunneled.

see:

http://www.kb.cert.org/vuls/id/150227

There have been numerous instances where applications allowed this kind of behavior.

http://www.securityfocus.com/bid/4131/info

http://www.securityfocus.com/bid/4131/discuss

I have seen these attempts on port 25 and I'm not quite sure what the point is. Perhaps there was an SMTP service that had this problem? Or, the script is just crap. The more typical use would be to connect to an HTTP proxy (like on port 80 or 8080) and to attempt a "CONNECT mail.yourdomain.com 25" so that I can send SPAM anonymously.

This alert will trigger when users establish WebEx meetings, and also for services like GoToMyPC. I've blocked any access to GoToMyPC using ACLs (inbound and outbound), but have to leave WebEx open since there's a business justification.

I'd check the IP address in question, and if it looks OK just add a Filter to prevent the alert.

I'd also suggest doing Log Pair Packets and running the results through Wireshark. You'll get much more of the exchange and (hopefully) figure out whether it's malicious or not.

I'm hoping to get to the point where I can block this outright (except for WebEx), but I'm not quite there yet.
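As an added illustration of what the reply above describes (this is example code, not from the thread, Cisco, or the IPS signature itself), here is a small Python check that looks at a captured TCP payload the way the signature does: it matches the `CONNECT host:port HTTP/1.x` request line, then triages the hit using the reply's own reasoning. A CONNECT aimed at a port that is not a proxy listener (the port 25 case the poster saw) is suspicious, a proxy being asked to tunnel to port 25 is the anonymous-spam pattern, CONNECT to 443 through a proxy is normal browser SSL, and anything else (WebEx/GoToMyPC-style tunnels) is flagged for review. The `PROXY_PORTS` set and the sample payloads are assumptions constructed for the example.

```python
"""Triage HTTP CONNECT tunnel hits from captured payloads (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Request line of an HTTP CONNECT: "CONNECT host:port HTTP/1.x" ending in CRLF or LF.
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r?\n")

# Assumption: destination ports where a CONNECT is expected because an HTTP proxy
# listens there. Replace with the proxies actually deployed on your network.
PROXY_PORTS = {80, 3128, 8080}


@dataclass
class ConnectEvent:
    src: str            # client that sent the CONNECT
    dst: str            # host that received it
    dst_port: int       # port it was sent to (the IPS "to y.y.y.y:25" side)
    target_host: str    # host the client asked to be tunneled to
    target_port: int    # port the client asked to be tunneled to

    def verdict(self) -> str:
        # CONNECT to something that is not a proxy (e.g. a mail server on 25):
        # either a broken script or a probe for a service that tunnels anyway.
        if self.dst_port not in PROXY_PORTS:
            return "suspicious-nonproxy-port"
        # A real proxy asked to relay to SMTP: the anonymous-spam pattern.
        if self.target_port == 25:
            return "suspicious-smtp-relay"
        # Browser SSL through a proxy is the normal use of CONNECT.
        if self.target_port == 443:
            return "expected-https"
        # Other tunnels (WebEx, GoToMyPC and similar): review, filter if justified.
        return "review-other-tunnel"


def inspect_payload(src: str, dst: str, dst_port: int, payload: bytes) -> Optional[ConnectEvent]:
    """Return a ConnectEvent if the payload starts with a CONNECT request, else None."""
    m = CONNECT_RE.match(payload)
    if not m:
        return None
    port = int(m.group(2))
    if not 0 < port < 65536:
        return None  # malformed port, not a usable CONNECT
    return ConnectEvent(src, dst, dst_port, m.group(1).decode("ascii", "replace"), port)


# Constructed sample flows: (src, dst, dst_port, first bytes of the client payload).
SAMPLES: List[Tuple[str, str, int, bytes]] = [
    ("10.0.0.5", "10.0.0.1", 8080, b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    ("203.0.113.7", "192.0.2.25", 25, b"CONNECT mail.example.net:25 HTTP/1.0\r\n\r\n"),
    ("10.0.0.6", "10.0.0.1", 3128, b"CONNECT mail.example.net:25 HTTP/1.1\r\n\r\n"),
    ("10.0.0.7", "10.0.0.1", 8080, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.8", "10.0.0.1", 8080, b"CONNECT meeting.example.org:9000 HTTP/1.1\r\n\r\n"),
]


def classify_samples() -> List[Tuple[str, Optional[str]]]:
    """Run every sample through inspect_payload; None means the signature would not fire."""
    out = []
    for src, dst, dst_port, payload in SAMPLES:
        ev = inspect_payload(src, dst, dst_port, payload)
        out.append((src, ev.verdict() if ev else None))
    return out


if __name__ == "__main__":
    for src, verdict in classify_samples():
        print(f"{src:<14} {verdict}")
```

The second sample is the situation in the question: a CONNECT sent straight to a mail server on port 25, which no proxy would answer. Checking the source IP and the rest of the exchange (as the reply suggests, with Log Pair Packets and Wireshark) is what separates a noisy scanner from a real open-proxy abuse attempt.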
